Microsoft Says No To Paying Bug Bounties

Trailrunner7 writes "In the wake of both Mozilla and Google significantly increasing their bug bounties to the $3,000 range, there have been persistent rumors in the security community that Microsoft soon would follow suit and start paying bounties as well. However, a company official said on Thursday that Microsoft was not interested in paying bounties. 'We value the researcher ecosystem, and show that in a variety of ways, but we don't think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren't always financial. It is well-known that we acknowledge researcher's contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update,' Microsoft's Jerry Bryant said."

Re:Translation:

[ergrthjuyt]

A lot of Microsoft teams have more test engineers than dev engineers. On more mature products, it has been this way for decades now. So your jab, while comical, is far from the truth.

Re:I wouldn't pay either

[drinkypoo]

I think the money is better spent on hiring/training more developers/testers than throwing it away on some wild west style campaign to weed bugs.

This is a false dichotomy. They have lots of other options, for example they could throw the money down the hole that is Microsoft's entertainment division, which has so far lost them billions of dollars.

Re:Or it could be because they would be bankrupt .

[sparrowhead]

...4) MS Customers are happy to pay for bugfixes

I've observed this myself when a consulting firm I worked with suddenly couldn't open an important presentation anymore. The fix cost them iirc around 3500 €. When asking them why they'd stay with a product that would render it's files unusable, they responded that they were actually pretty happy with the response time and the price didn't bother them at all.